Help With Per File/Folder Restriction Based on HTTPS Client Certificate's CN

There are many guides online for setting up client-based SSL for websites.

One of the best I've seen so far is dwheeler.com/essays/apache-cac-configuration.html

Now my question is this, and I am sure it is something simple.. How do I set up a server to grant access on a per-file basis, depending on the CN of the client?

If CN=kevinds, how can I only allow access to secure.example.com/kevinds.html, and CN=tuttle to secure.example.com/tuttle.html, but not have CN=tuttle access secure.example.com/kevinds.html?

Per directory is ok if I have to, secure.example.com/kevinds/kevinds.html but would prefer to keep all files in the same directory..

I keep finding examples on how to allow any client signed by the CA access to all files.. Which works if there was only one certificate accessing the server.

```apache
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName secure.example.com
    SSLRequireSSL
    ## I have a feeling I should be putting the SSLCertificate lines under the NameVirtualHost rather than VirtualHost?
    SSLCertificateFile [Filename for server certificate]
    SSLCertificateKeyFile [Filename for server certificate private key]
    SSLCertificateChainFile [Filename for root chain certificate]
    DocumentRoot /var/www/vhosts/secure
    SSLOptions +FakeBasicAuth "%{SSL_CLIENT_S_DN_CN}" +StrictRequire
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    SSLVerifyClient require
    ## Will have to test but 10 should be sufficient to start?
    SSLVerifyDepth 10
    SSLCACertificateFile [Same file as SSLCertificateChainFile ? Is this needed?]
    ## This next part is the part I believe I have to tweak?? This allows everyone with a cert access rather than just the user to their specific file
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile /var/www/vhosts/secure.txt
    Require valid-user
</VirtualHost>
```

Am I close? Way off? Been at this for a few hours.. Feel like I am close now, but still far enough off that I need to ask for help.

> Minor Issue: Anybody know how to change my profile to TechnicalUser? lol I don't see a way yet to edit this..
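
One way to express the per-file rule the post asks for, as an added example that is not part of the original post. It assumes Apache 2.4 `Require expr` syntax (on 2.2 the equivalent test inside each `<Files>` block is `SSLRequire %{SSL_CLIENT_S_DN_CN} eq "kevinds"`), a dedicated CA that signs the client certificates directly, and bracketed file names as placeholders, as in the post.

```apache
# Added example: per-file access keyed on the client certificate CN.
<VirtualHost *:443>
    ServerName secure.example.com
    DocumentRoot /var/www/vhosts/secure

    SSLEngine on
    SSLCertificateFile    [Filename for server certificate]
    SSLCertificateKeyFile [Filename for server certificate private key]

    # Trust anchor for CLIENT certificates. This is separate from the
    # server's own chain; only certificates issued under it are accepted.
    SSLCACertificateFile  [Filename for the CA that signs client certificates]
    SSLVerifyClient require
    # Assumption: client certificates are issued directly by the CA above.
    SSLVerifyDepth 1

    <Directory "/var/www/vhosts/secure">
        SSLRequireSSL
        # Default deny: holding a valid certificate grants nothing by itself.
        Require all denied
    </Directory>

    # <Files> sections are merged after <Directory>, so for these two
    # files the CN test replaces the default deny. All files stay in
    # the same directory.
    <Files "kevinds.html">
        Require expr "%{SSL_CLIENT_S_DN_CN} == 'kevinds'"
    </Files>

    <Files "tuttle.html">
        Require expr "%{SSL_CLIENT_S_DN_CN} == 'tuttle'"
    </Files>
</VirtualHost>
```

With this layout `FakeBasicAuth` and the `AuthUserFile` are not needed, because the decision is made on the verified certificate subject directly. The CN check is only as strong as the issuing CA's control over which CN values it signs, so `SSLCACertificateFile` should contain only the CA that issues these user certificates.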
